NetTalk Central

Author Topic: Access-Control-Allow-Origin issues  (Read 4263 times)

DonnEdwards

Access-Control-Allow-Origin issues
« on: March 06, 2020, 03:15:41 AM »
Hi all, I am having a problem with Access-Control-Allow-Origin.

I took the sample NetTalk Login code, and made a few cosmetic changes to reflect the name of my project, and built it and shipped it to a live server. See
http://kgoffice.co.za which instantly and gracefully redirects the user to https://kgoffice.co.za
Perfect!

If I use https://websniffer.cc/?url=https://kgoffice.co.za/ it shows (amongst other things in the header)
Access-Control-Allow-Origin: *
which is correct, and the default.

However, a lot of security review programs and websites complain that Access-Control-Allow-Origin should not be set to "*" but should be set to https://kgoffice.co.za

I tried changing it in the live server settings. See attachment ServerSettings.jpg
But this hasn't changed anything. https://websniffer.cc/?url=https://kgoffice.co.za/
still shows the Access-Control-Allow-Origin header as "*", even after closing the server and starting it again.

What should I be doing differently?

« Last Edit: March 06, 2020, 03:21:33 AM by DonnEdwards »
If you're happy with your security, then so are the bad guys

Bruce

Re: Access-Control-Allow-Origin issues
« Reply #1 on: March 06, 2020, 06:58:23 AM »
Which build are you on?

DonnEdwards

Re: Access-Control-Allow-Origin issues
« Reply #2 on: March 06, 2020, 09:38:45 AM »
I was on build 11.25 but I have now updated to build 11.30, including all the other packages, and recompiled. Everything is working correctly now.

I guess in addition to RTFM I should add Check the version number  :D
If you're happy with your security, then so are the bad guys

DonnEdwards

Re: Access-Control-Allow-Origin issues
« Reply #3 on: March 08, 2020, 12:59:18 AM »
The tests are working correctly, except for HTTP 404 and HTTP 403 errors. They are still giving
Access-Control-Allow-Origin: *
I'm not sure if this is a bug or by design. Either way, I can't see how it could be exploited.
If you're happy with your security, then so are the bad guys

Bruce

Re: Access-Control-Allow-Origin issues
« Reply #4 on: March 09, 2020, 10:20:41 PM »
I'll see if I can tweak it for the errors...
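
Added example (not part of the thread and not NetTalk code): a Python check for the situation described in Reply #3, where normal pages return the configured origin but 404 and 403 responses still return the wildcard. The response heads are constructed samples, and the paths and function names are assumptions made for illustration.

```python
# Audit Access-Control-Allow-Origin across status codes (added example).
EXPECTED_ORIGIN = "https://kgoffice.co.za"  # origin named in the thread

SAMPLES = {  # constructed sample data: hypothetical path -> raw response head
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Access-Control-Allow-Origin: https://kgoffice.co.za\r\n\r\n",
    "/missing": "HTTP/1.1 404 Not Found\r\n"
                "access-control-allow-origin: *\r\n\r\n",
    "/forbidden": "HTTP/1.1 403 Forbidden\r\n"
                  "Access-Control-Allow-Origin: *\r\n\r\n",
    "/plain": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
}


def parse_head(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw, expected=EXPECTED_ORIGIN):
    """Classify one response as ok, wildcard, mismatch or absent."""
    status, headers = parse_head(raw)
    value = headers.get("access-control-allow-origin")
    if value is None:
        verdict = "absent"
    elif value == "*":
        verdict = "wildcard"
    elif value == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return status, verdict


def audit(samples=SAMPLES, expected=EXPECTED_ORIGIN):
    """Map each path to (status, verdict) so error pages are checked too."""
    return {path: classify(raw, expected) for path, raw in samples.items()}


if __name__ == "__main__":
    for path, (status, verdict) in audit().items():
        print(f"{status} {path:<12} {verdict}")
```

To run it against a live site, replace SAMPLES with response heads saved from the server, making sure to include at least one 404 and one 403 response.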